"On my part, I remain committed to the process of dialogue. It is my firm belief that dialogue and a willingness to look with honesty and clarity at the reality of Tibet can lead us to a viable solution."

How Chinese hacked Google, and why India should worry

March 3, 2010

Claude Arpi
rediff (India)
March 2, 2010

The recent announcement by the United States
giant search engine Google that it might withdraw
from China made the headlines in world media. The
Google decision highlighted the aggressiveness of
the Chinese hackers who had been penetrating
cyber fortresses like the Pentagon or the White
House (as well as the PMO or the MEA in India!).

Claude Arpi spoke to Shishir Nagaraja, the
co-author (with Ross Anderson) of The Snooping
Dragon: Social malware Surveillance of the
Tibetan Movement, published by University of
Cambridge Computer Laboratory in March 2009.

Shishir Nagaraja, currently associated with the
Information Trust Institute of the University of
Illinois (US), tells rediff.com, not only about
the Google episode, but also his experience with
the Office of the Dalai Lama in Dharamsala and
the world of hackers, in general.

He believes that we have only seen the beginnings
of the cyberwar, the 'war of tomorrow'. In the
not-too-distant future, it will affect each one of us.

What according to you has happened with Google in China?

From what I could gather, they targetted some
people connected to the Tibetan movement and some mainland activists.

The second aspect is that the infrastructure used
by Google to carry out censorship in China was a
part of the attack. Not very much has been made
public by Google in this regard, so we can't be very sure.

Third, Google itself was a victim and they claim
to have lost intellectual property. What we know
for sure is that the email accounts of the
Tibetan activists were read regularly from IP addresses in China.

What is new in these attacks? One reads that they were highly sophisticated?

No, it is the same old story. Nothing is new. It
is the same thing that we wrote about [The
Snooping Dragon report] or Greg Walton wrote
about [Tracking GhostNet report]. Same thing!

The only new thing is that they have targetted
Gmail addresses, but this was known to us. In
fact, I had approached Google in September [2008]
after the Office of the Dalai Lama's
Representative in New York had got in touch with
me; they had found out that somebody had
maliciously configured their SMTP [outgoing mail]
server so that it would forward all their emails to a certain Google account.

It is interesting because a lot of space is
needed for this and Google has that space. Isn't
it better to use something already available?

The Dalai Lama's Office [in New York] found out
that even that [Google account] space had
overflowed; they had not removed the wiretrap and
the forwarded mail started bouncing from Google.
It is then that they realised what was going on.

When I was approached, I advised them to talk to
Google. Later, on their behalf, I informally
talked to the person in Google responsible for
investigating malicious activity. He said, 'You
can put a formal complaint if you want, but there
is not much that we can do.' This is the response that I got.

Some 30 other companies are said to have been attacked at the same time.

Yes, we had projected [such attacks] in our
report. In fact, the theft of Google's IP is
exactly the sort of attack we warned against. We
had said that more and more people will use
tactics pioneered by the 'Chinese hackers'. The
attack this time is not different; the attack
vector is the same, 'abuse of social trust'.

The [attackers] make your emails look like from
someone you trust, not from a stranger. This is
done by replaying past messages with minor
modifications, and I expect the attackers will
mature to the point of using victim input in real
time to construct attack emails: for instance, by
embedding malware into an attachment even as the victim composes a message.

Now for that part about why Google is behaving
like this [threatening to withdraw]? There are no
new technical reasons for doing so. There might
be business reasons though. It is a tough market.
They don't have a large share in China compared to their competitors.

This could be a face saving excuse or a bargain
striking maneuver, I don't know.

Ultimately, to threaten to withdraw is good for their image?

It is favourable to their image. There is a lot
of anti-China sentiment in the West. [Google's
decision] plays into this, while giving them a
good reason to withdraw, though I am not sure
that they really want to withdraw, because
political censorship climate has remained unchanged in China.

Ten/fifteen years ago, when they came to China,
the Chinese government told them the same thing:
you have to censor the Web. Today, Google says:
'We are negotiating with the Chinese government.
We don't want to censor the Web!' The reasons
stated now to leave the market were valid even when they entered the market.

Playing in a capitalist world, Google knew the
rules of the game, and they were willing to play
by it as long as they turned a profit. It was the
same then, it has not changed, formally or informally.

Since 1989, the Chinese government is clear about their policy of censorship.

Could you tell us your experience with the Office
of the His Holiness the Dalai Lama (OHHDL). Tell
us about Snooping Dragon? It seems to have been
interesting in the sense that you found an
organisation willing to be openly studied, which
not the case for governments, banks, Army, etc.

Yes, it is not usual, though since 2004 there
have been some cases documented through
Congressional hearings. In contrast, by agreeing
to make the findings public, the Buddhists have
shown themselves to be truly enlightened.

Though, from a political perspective, agreeing to
make the subject public made a lot of sense [for
them]. In the diplomatic battle between China and
Tibet, the latter has always sought to portray an
image of a victim set against an aggressive Chinese position.

It played [in favour] of their PR image. However,
banks, governments and companies seek an image of
'nothing is wrong with our security'. But this is
a rational explanation. I don't think His
Holiness invited us with this in mind.

When we were invited to have a look, the OHHDL
was not aware of the extent of damage being
caused by the attacks much less being in a
position to perform accurate diplomatic calculations.

It was quite bad?

Oh, yes, it was bad. Their electronic
infrastructure was completely compromised. The
bad news is that this attack can also be carried
out on any usable computing infrastructure with
very few exceptions, very few people believed in
this assertion when our report came out, but the
successful attacks on Google vindicate our position.

Could, for example, the attackers have known the
position of the Dalai Lama's team before they went to Beijing for talks?

Very much possible if their position [for talks]
was prepared and recorded on the computers. These
days, the OHHDL is fairly tech savvy and use
email and electronic storage for almost all their activities.

The Chinese stole detailed meeting notes, plans
for school construction, basically any data
sitting on an OHHDL computer was lifted. One of
the most important was the refugee database.

It means all the registration details of all the
Tibetans refugees who had fled to India.

The sys-admins took it offline as soon he
realised that the attack was going on. Regarding
the sys-admins, I have a lot of respect for the
decisions they took. They took the right
decisions and the level of response with speed
and accuracy would be in line with the best trained sys-admins.

It is quite commendable really. They found a
problem, and they asked experts for help
immediately without trying to hide the problem or
hoping it would go away. . . they wanted to find
out. They found the best experts to help them.
Usually the IT security culture of most organisations is to hide mistakes.

The sort of openness that the OHHDL has in
matters of general policy as well in the
management of their computer security is very commendable.

It is because of this culture [of openness] that
they were able to discover the extent of
surveillance going on. And for these reasons, we
are much more aware of Chinese info-warfare capability.

To what extent the security holes have been
closed, I am not sure. I don't think they have
been closed. They are very much there and the
attacks might be repeatable; it is a tough problem to solve.

If embassies or government offices can be
attacked, one can presume that it is easier to
penetrate relatively smaller office like the Dalai Lama's?

Yes, you are right. Similarly, if Google can be
attacked, then most companies can be successfully targetted as well.

A news item mentioned that Tibetans would have
stolen data from the Chinese, particularly the
laptop of a lady-member of the United Front Works
Department, the Chinese ministry dealing with the
Dalai Lama's Envoys. Are you aware of this?

I don't know. I have not heard about this.

There is always the question of what constitutes
proof in a computer security investigation. In
the case of the OHHDL, the evidence I have used
during the investigation, wasn't the IP address
of the control server or similar information.

The main evidence comes from the fact that the
Chinese foreign ministry used some of the
intelligence information gathered from electronic
surveillance and used it to apply diplomatic
pressure on those invited to meet with the Dalai Lama.

When the Chinese foreign ministry showed full
knowledge of OHHDL emails -- this constitutes
strong evidence in my eyes -- it showed that
there was Chinese government involvement at some
level, although they might not have carried out the attack themselves.

The ownership of the attack is squarely with the
Chinese government even if they might have
'outsourced' the attack to Chinese cyber-guerrillas.

In our report, we provided additional explanation
on why we chose to point fingers at the Chinese
government. We also considered other theories:
who else could have been motivated to carry out
this attack and why and if they had done it, what would be the evidence.

We have seen strong evidence of Chinese
government involvement, and none to the contrary.

The media has recently dealt at great length on
the so-called independent hackers and the role of the Chinese State.

In my mind, it is a little bit like guerilla
warfare; a much sought-after alternative to
conventional forces. Guerilla warfare provides
plausible deniability to the sponsoring State. If
you consider US-Iraq, US-Afghanistan,
Pakistan-India or Israel-Palestine conflicts, we
often see a model of 'guerilla warfare' playing
out. It appears that such a model of warfare is gaining popularity.

If the quality of the fighters is very good on
the 'open market', why not hire them instead of
training your own and risking bad press.

Don't you think that China has this type of
mindset to use these tactics while it is not present in India?

Well, there are documented cases of India's
intelligence agencies using the underworld
(Dawood versus Chhota Rajan, for example). But
these are home affairs and have little to do with other countries.

In comparison, the Chinese use of guerrilla
hacker networks is quite popular. Timothy Thomas
has documented this quite well [it is referenced
in the Snooping Dragon report].

The Chinese attacks on the OHHDL appear to have
been carried out by semi-skilled amateurs. From
the quality of the work, I can say that it was
not a very skilled person, not a real expert. If
they had experts on hand, then the situation
would have really been different in terms of difficulty analysis.

This points to two things: one: analysis will get
tougher in future as attacks get more
sophisticated, and, second, if amateurs can carry
out successful attacks on Google and OHHDL, then
that signals a very real danger.

About Chinese 'experts': do you believe that many
of them have been trained in the US or the West and later returned to China?

Possibly! But there is no need for a good hacker
to be trained in the US. People with good
computer skills are very much there in countries
like India, Pakistan or China. Some very, very
skilled people might not even have had elementary education.

The Chinese recently closed a 'hacking' school in
Hebei province. Is it eyewash, or will it make a difference?

[These days] there are loads of resources online,
so closing one school won't make a difference for
the same reason that closing a terror school hasn't made a difference.

If someone wants to learn, it does not take much
effort. It is important to understand that the
main innovation is not technological, it is a
psychological one. The entire computer industry
has progressed technologically, but computer
security is not a technology issue.

Technologies are fine, they are there. The
question is the human link. The way humans
interact with computer security is poorly understood by software engineers.

The current technology does not consider humans
as they are: humans are fitted into a user model
of how they are 'supposed' to be. Each time there
is a security problem, security experts are quick
to point to the user's fault! The user did not do
this or that! This mindset has to change.

Technology needs to understand and accept user
behaviour and provide security assurances with
this in mind. We should accept people as they
are, accept the diversity in human behaviour,
there is no point in writing manuals and
designing secure systems for somebody else.

The users are not going to do change, so user
education is the wrong place to spend security budget.

In their White Paper of Defence, the Chinese
strategy has undergone a shift from 'active
defense', (never attacking someone first, but
being ready to respond if attacked) to 'active
offense'. Don't you think that a nation
practicing this will always be a step ahead of its opponent?

As usual, computer security is quite asymmetric.
It takes less to attack than to defend. You have
only to find one hole to be successful in attack,
while defence has to plug all the holes.

For this reason, it appears that attacking is
easier than defending, computer systems or physical world security.

Recently, an article in the Indian Press affirmed
that the National Technical Research Organisation
which deals with cyber attacks in the government
pretends that their Rapid Action Group can tackle
an attack in less than 90 minutes. What are your views on this?

Assuming they mean 'any' intrusion, it is highly,
highly unlikely to be true. If it was true, it
would be a five-star research contribution, probably worth a Nobel Prize.

Instead, if they are claiming that the exact same
attack would be detectable that's straight
forward but close to useless in defending against
future attacks (they won't be the same as past attacks).

Attacks don't repeat the same way. . . why should
they? They always evolve. To prove that nobody
can steal an organisation's data, you have to
prove that every hole has been closed.

[However] there are not just bugs in software;
there are also bugs in human operation. For
example the attack on the OHHDL was not due to a
computer bug, the software defects were there,
but they were incidental to the attacks.

When humans authenticate emails, they do so based
on socio-cognitive signals based on the text of
the email. It is a highly sophisticated pattern
analysis-based authentication mechanism that is used by humans.

The attackers found a way to beat it by simply
replaying the text. In this type of an attack,
detectability is very low. If the attacker
decides to intrude and stay around your network,
it might take a couple of years before he/she is
detected, [he can remain dormant].

In the case of the OHHDL, they were probably
there for a year or so. The attackers were
detected, because they increased the frequency of
attacks way too much. They made two mistakes: one
they replayed emails too many times, and second,
they showed that they knew some information that
they could have not known without spying.

But the attackers will learn and the second
generation of social malware attacks will be more
covert. Will we detect them? Unlikely! In half an hour? Very, very unlikely!

When the Pentagon or the White House have been
penetrated [in the past], it took [sometimes]
years to find out. They are ways to remain
covert, attack covertly (no replays), transmit
covertly (using covert channels/'96 there are lots of them).

Presence of attacks on OHHDL could be found out
[relatively easily]. But if they deployed covert
communication over the Internet to transfer
stolen information, then they can remain
virtually undetectable for a very long time.

Recently, DefExpo India 2010 was held in Delhi.
The Indian government is planning to spend Rs
50,000 crore (Rs 500 billion) in military
hardware, don't you think that it is not the 'war of yesterday'?

Oh, yes! Absolutely! What you mentioned is
conventional warfare. Now we are speaking of
guerilla warfare. A significant national security
risk to India lies in the area of computer
security which can't be addressed with Sukhois.

With the increasing reliance on computer
networks, India's information infrastructure is
growing rapidly. The budget for computer security has to increase too.

There is a very real risk that China has control
over significant parts of the government's
computer infrastructure. Military capability will
mean little if the enemy has high quality intelligence.

Supremacy in information security is crucial, for
economic security reasons too. For example, how
to protect IP from India's software industry from
being stolen? Social malware can be used to steal software.

Another example involves injecting false data
into accounting systems. Each company has an
accounting system which is automated using
computers. Social malware can be used to infect a
majority of the computers of an accounting system.

With banks having a hard time coping with 1 per
cent of customer machines being infected, how can
a company run an accounting system with 50 per
cent of its machines being compromised?

The scale of such economic fraud could run into
hundreds of millions of dollars. And it is increasing, even as we speak.

We all need security against social malware
attacks. Political organisations could be hit and
have their political secrets revealed. Consumers
and business organisations will be hit by accounting frauds.

In today's economic climate, such frauds might be
enough to put small companies out of business.
Today, even for a small company, you can't do
your accounts manually. . . if a malware
introduced false transaction amounts of Rs 10,000
or Rs 15,000, this won't even be noticed until it
is too late and money has been siphoned off using Western Union.

If the behaviour of banks in the case of ATM
frauds is anything to go by, then banks will
simply dump the liability on the end users saying
'it is your fault; the malware was in your computer.'

The negative fallout will always have to be taken
by the customers who do not have the means to
defend themselves. I foresee that we will witness
new instances of social malware attacks,
targetting businesses and individuals in the near future.

Tell us something about your project in India

I will move to India shortly. I will take a
position of Assistant Professor at the IIIT Delhi
and, with a group of three colleagues, will start
a Security Group conducting research and teaching in computer security.

We have a Master's and a PhD programme. My first
priority will be to carry out a comprehensive
analysis of the scale of computer crime in India.
Today, this research is carried out by people from outside [India].

To carry out defensive actions, we have to know
the scale of exposure to [computer piracy]. What
we did for the OHHDL, we will do for various
companies and governmental organisations. It
means high level audits. It is a lot of work. All
the information is scattered today, it may take a
while to get the data, analyse it, publish the
results and take remedial measures.

The government can't do everything, but it can
start programmes to improve computer security for the public.